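# enable gzip compression
gzip on;
# skip compression for old IE builds (MSIE 1-6 without SV1) whose gzip handling is broken
gzip_disable "MSIE [1-6]\.(?!.*SV1)";
# minimum request HTTP version that gets a compressed response
gzip_http_version 1.1;
# emit "Vary: Accept-Encoding" so shared caches keep compressed and plain copies apart
gzip_vary on;
# moderate level: most of the size reduction at a modest CPU cost
gzip_comp_level 4;
# compress responses to proxied requests regardless of their request headers
gzip_proxied any;
# text/html is always compressed by nginx; listing it only produces a
# "duplicate MIME type" warning at startup, so it is omitted from this list
gzip_types text/plain text/xml text/css application/json application/x-javascript application/xml application/xml+rss text/javascript application/javascript text/x-js application/x-font-ttf application/font-woff2 image/x-icon;
# 16 buffers of 8k each per response being compressed
gzip_buffers 16 8k;
# NOTE(review): compressing TLS responses that reflect request-controlled input
# next to per-user secrets exposes the BREACH side channel; keep that in mind
# before widening gzip_types to dynamic responses that carry secrets.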
# Allow embedded fonts from a third-party URL (CDN) & expires headers
# NOTE: add_header directives declared in this location replace, rather than
# extend, any add_header set at the enclosing level (nginx only inherits them
# into a level that defines none), so server-level security headers are not
# emitted for these responses unless repeated here — confirm against the
# surrounding server block.
location ~* \.(eot|ttf|woff|woff2)$ {
# wildcard CORS origin; acceptable for static font files served without credentials
add_header Access-Control-Allow-Origin *;
# sets Expires and a Cache-Control max-age of 30 days
expires 30d;
# adds a second Cache-Control header alongside the one produced by "expires"
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
# serve the file if it exists, otherwise hand off to the @fallback named location (defined elsewhere)
try_files $uri @fallback;
}
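# expires headers for static assets
# NOTE: as with the font location above, add_header here replaces any
# add_header inherited from the enclosing level, so server-level security
# headers are not emitted for these responses unless repeated here.
# The literal dot is escaped with a single backslash, consistent with the font
# location; the original doubled backslash relied on nginx collapsing "\\" to "\".
location ~* \.(css|js|gif|jpeg|jpg|png|svg|ico)$ {
# sets Expires and a Cache-Control max-age of 7 days
expires 7d;
# adds a second Cache-Control header alongside the one produced by "expires"
add_header Cache-Control "public, must-revalidate, proxy-revalidate";
# serve the file if it exists, otherwise hand off to the @fallback named location (defined elsewhere)
try_files $uri @fallback;
}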
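# Security
# don't send the nginx version number in error pages and Server header
server_tokens off;
# NOTE: nginx only inherits add_header into a location that declares no
# add_header of its own; the font/asset locations above set their own headers
# and therefore will not emit the headers below unless they are repeated there.
# config to enable HSTS (HTTP Strict Transport Security). "always" so error
# responses carry it too (without it add_header only applies to 2xx/3xx codes).
# Only meaningful from the TLS server block; "preload" commits the domain and
# all subdomains to HTTPS long-term and is hard to undo.
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains; preload" always;
# don't allow the browser to render the page inside a frame or iframe
add_header X-Frame-Options "SAMEORIGIN" always;
# This header enables the Cross-site scripting (XSS) filter built into older browsers.
# NOTE(review): current browsers have dropped this filter and guidance now
# favours a Content-Security-Policy instead; value kept as configured.
add_header X-Xss-Protection "1; mode=block" always;
# when serving user-supplied content, include a X-Content-Type-Options: nosniff header along with the Content-Type: header,
# to disable content-type sniffing on some browsers.
add_header X-Content-Type-Options "nosniff" always;
# disable sending referrer information when moving from https to http;
# "always" added for parity with the other security headers so error pages get it too
add_header Referrer-Policy "no-referrer-when-downgrade" always;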